#525: Overall review of features which enable/disable subframe or subresource capabilities
Discussions
Discussed
Jun 1, 2020 (See Github)
Tess: we're worried about script isolation... iframes... Take a step back and make a holistic review.
[Tess & David
Comment by @dbaron Jun 15, 2020 (See Github)
This is closely related to w3ctag/design-principles#41.
Discussed
Jul 1, 2020 (See Github)
David: smaller breakout with Tess required?
Yves: I sent mail to webappsec working group to ask if they were interested in helping but have not heard anything back.
Peter: schedule breakout time for tomorrow?
David: Will try sometime this week
Discussed
Aug 1, 2020 (See Github)
Tess: This is a big chunk of work. Ideally we can come up with a table of all features, APIs and what their behavior is in terms of capabilities inherited by parent browsing context etc. ... I will schedule time for myself and Rossen to work on this tomorrow.
Comment by @cynthia Sep 24, 2020 (See Github)
Discussed
Jan 1, 2021 (See Github)
Rossen: I think Tess and I had a spreadsheet.... did we ever find it? We spent an hour building it in a breakout at some point.
(pinged Tess and got a link to the spreadsheet).
Comment by @dbaron Jan 26, 2021 (See Github)
@hober and @atanassov started a spreadsheet to build up information about these features in a prior breakout.
Discussed
Feb 1, 2021 (See Github)
Skipped.
Discussed
May 1, 2021 (See Github)
Ran out of time before we got to this.
Discussed
Apr 1, 2023 (See Github)
Discussion about the conceptual overlap between these feature controls and the Spectre/Meltdown mitigations, wondering if the same task force that looks at CO* headers should look at these controls. Ideally maybe a common control layer can be created for authors to enable features that also mitigates Spectre/Meltdown under a layer of abstraction.
Discussed
Jan 1, 2024 (See Github)
We discuss closing this since we haven't made progress.
Lea: could it be a principle?
Tess: we are the right group to do this --
Sangwhan: it would take an entire f2f...
Dan: topic for TAG future?
Sangwhan: We have to go through all that's currently available - requires a focussed issue.
Tess: 468 is also similar.....
Opened Jun 15, 2020
We're concerned with the large number of features used to constrain/grant access to capabilities in subframes/subresources. The large number of related, yet distinct knobs, and the different kinds of knobs, make it challenging for authors to do the right thing.
We hope that a review of all of these mechanisms may identify areas where simplification or consolidation could occur while still enabling all necessary use cases. We also hope this review will result in related changes to the Web Platform Design Principles document, to help spec authors in the future when they consider adding yet another feature in this area.
This came up during our review of #397. Possibly-related older reviews include